authorEvgeny Egorochkin <phreedom@yandex.ru>2013-08-23 14:47:42 +0300
committerEvgeny Egorochkin <phreedom@yandex.ru>2013-08-23 14:50:14 +0300
commitf8a6fa774e4e0e31c1bfdbd73bffd2d2dfa2e5d2 (patch)
tree0fd4bf36ae905af412a088ca13cbcfc11ab0b193 /modules
parentf4207269361d5bdbb929d64ab6ba4a5319ac7056 (diff)
SSH daemon: change default key size for RSA, add alert for weak keys.
Diffstat (limited to 'modules')
-rw-r--r--modules/services/networking/ssh/sshd.nix29
1 files changed, 22 insertions, 7 deletions
diff --git a/modules/services/networking/ssh/sshd.nix b/modules/services/networking/ssh/sshd.nix
index e9df8dd3cf6b..0c70ebd716c4 100644
--- a/modules/services/networking/ssh/sshd.nix
+++ b/modules/services/networking/ssh/sshd.nix
@@ -16,19 +16,27 @@ let
     v == "no";
 
   hostKeyTypeNames = {
-    dsa1024  = "dsa";
-    rsa1024  = "rsa";
+    dsa1024  = "dsa"; # DSA has a key size limitation due to standards
+    rsa3072  = "rsa";
     ecdsa521 = "ecdsa";
   };
 
   hostKeyTypeBits = {
-    dsa1024  = 1024;
-    rsa1024  = 1024;
-    ecdsa521 = 521;
+    dsa1024  = 1024; # =80 bits of security
+    rsa3072  = 3072; # =128 bits of security
+    ecdsa521 = 521;  # =256 bits of security
+  };
+
+  # equivalent to 112 bit of security strength. Anything below this is very unsafe.
+  hostKeyTypeSafeBits = {
+    dsa1024  = 2048;
+    rsa3072  = 2048;
+    ecdsa521 = 255;
   };
 
   hktn = attrByPath [cfg.hostKeyType] (throw "unknown host key type `${cfg.hostKeyType}'") hostKeyTypeNames;
   hktb = attrByPath [cfg.hostKeyType] (throw "unknown host key type `${cfg.hostKeyType}'") hostKeyTypeBits;
+  hktsb = attrByPath [cfg.hostKeyType] (throw "unknown host key type `${cfg.hostKeyType}'") hostKeyTypeSafeBits;
 
   knownHosts = map (h: getAttr h cfg.knownHosts) (attrNames cfg.knownHosts);
 
@@ -171,7 +179,7 @@ in
       hostKeyType = mkOption {
         default = "dsa1024";
         description = ''
-          Type of host key to generate (dsa1024/rsa1024/ecdsa521), if
+          Type of host key to generate (dsa1024/rsa3072/ecdsa521), if
           the file specified by <literal>hostKeyPath</literal> does not
           exist when the service starts.
         '';
@@ -269,7 +277,7 @@ in
 
         stopIfChanged = false;
 
-        path = [ pkgs.openssh ];
+        path = [ pkgs.openssh pkgs.gawk ];
 
         environment.LD_LIBRARY_PATH = nssModulesPath;
         environment.LOCALE_ARCHIVE = "/run/current-system/sw/lib/locale/locale-archive";
@@ -281,6 +289,13 @@ in
             if ! test -f ${cfg.hostKeyPath}; then
                 ssh-keygen -t ${hktn} -b ${toString hktb} -f ${cfg.hostKeyPath} -N ""
             fi
+
+            result=$(ssh-keygen -lf ${cfg.hostKeyPath}|awk '{ print ($1>=${toString hktsb}?1:0)}')
+            if [ "$result" -ne "1" ]; then
+              ERROR="SECURITY ALERT: SSH Host Key is too weak. Generate a strong key NOW."
+              echo "$ERROR"
+              echo "$ERROR" > /dev/console
+            fi
           '';
 
         serviceConfig =
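Review bot: The check `if [ "$result" -ne "1" ]` silently skips the alert in the one case it most needs to fire: if `ssh-keygen -lf` fails (unreadable, truncated or non-key file at `hostKeyPath`) the awk pipeline prints nothing, `$result` is empty, `[` reports an integer-expression error and exits with status 2, which `if` treats as false, so no "SECURITY ALERT" line is written. Comparing as a string avoids that: `if [ "$result" != "1" ]; then`. Note also that the block only echoes the alert and lets the service start with the weak key; whether that is the intended policy (advisory only) or whether preStart should fail for a below-threshold key is worth stating in a comment above the check, since the message text ("Generate a strong key NOW") suggests the former is a stopgap. The `preStart` script this check sits in starts before the hunk.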